On Fri, 2014-12-19 at 18:10 +0100, David Engster wrote:
> What is the best way with libgnutls to see whether a certificate is
> self-signed? I'm guessing you have to compare issuer with subject, but
> is there a preferred way to do that? From RFC5280 it seems to me that
> this comparison is not trivial to do, but maybe for self-signed they
> really always match byte for byte?
gnutls doesn't follow the RFC 5280 comparison for DNs. It does a memcmp() to check if they are identical, and you are safe if you do that too, for two reasons: (1) adding an elaborate parsing layer to ensure identity may introduce bugs which allow false positives in the comparison; (2) it is unnecessary; there is no software that generates certificates with spacing differences or case differences on the DN. That is a relic from the time when DNs were copied by a human using a keyboard and not by memcpy().

That said, the easiest way to check for a self-signed certificate is using gnutls_x509_crt_check_issuer() against itself.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
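Added example, not from the thread and not gnutls code: a self-contained C program that performs exactly the byte-for-byte issuer/subject comparison Nikos describes, over a constructed TBSCertificate, so the behaviour can be seen without linking any library. The DER reader, the `build_tbs()` builder and the sample names are my own test scaffolding; the certificate bytes are synthetic and carry no key or signature. It demonstrates the consequence of point (2): a subject CN that differs from the issuer CN only in case is not treated as equal, because no RFC 5280 normalisation is applied. With gnutls itself the equivalent is `gnutls_x509_crt_check_issuer(crt, crt)`, or a memcmp over the DER Names returned by `gnutls_x509_crt_get_raw_issuer_dn()` and `gnutls_x509_crt_get_raw_dn()`. One caveat a reviewer should keep in mind: name equality establishes that the certificate is self-issued; whether the signature actually verifies under the certificate's own key is a separate check.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Minimal DER reader (constructed for this example; not gnutls code) --- */

/* Read one TLV header: sets tag, header length and content length. 0 on success. */
static int der_read_tlv(const uint8_t *buf, size_t len,
                        uint8_t *tag, size_t *hdr, size_t *clen) {
    if (len < 2) return -1;
    *tag = buf[0];
    size_t i;
    if (buf[1] < 0x80) {                 /* short-form length */
        *clen = buf[1]; i = 2;
    } else {                             /* long-form length: 0x8n then n bytes */
        size_t n = buf[1] & 0x7f, v = 0;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return -1;
        for (size_t k = 0; k < n; k++) v = (v << 8) | buf[2 + k];
        *clen = v; i = 2 + n;
    }
    if (*clen > len - i) return -1;      /* truncated content */
    *hdr = i;
    return 0;
}

/* Locate the encoded issuer and subject Name inside a TBSCertificate SEQUENCE.
 * RFC 5280 order: [0] version (optional), serialNumber, signature, issuer,
 * validity, subject, subjectPublicKeyInfo, ... */
static int tbs_find_names(const uint8_t *tbs, size_t len,
                          const uint8_t **issuer, size_t *issuer_len,
                          const uint8_t **subject, size_t *subject_len) {
    uint8_t tag; size_t hdr, clen;
    if (der_read_tlv(tbs, len, &tag, &hdr, &clen) || tag != 0x30) return -1;
    const uint8_t *p = tbs + hdr, *end = p + clen;
    const uint8_t *fields[5]; size_t flens[5]; int n = 0;
    while (p < end && n < 5) {
        if (der_read_tlv(p, (size_t)(end - p), &tag, &hdr, &clen)) return -1;
        if (tag == 0xA0 && n == 0) { p += hdr + clen; continue; }   /* skip [0] version */
        fields[n] = p; flens[n] = hdr + clen; n++;
        p += hdr + clen;
    }
    if (n < 5) return -1;
    *issuer = fields[2];  *issuer_len = flens[2];
    *subject = fields[4]; *subject_len = flens[4];
    return 0;
}

/* The comparison the mail describes: self-issued iff the two DER Names are
 * byte-for-byte identical; no case or whitespace folding of any kind.
 * Returns 1 (identical), 0 (different) or -1 (parse error). */
int is_self_issued_by_memcmp(const uint8_t *tbs, size_t len) {
    const uint8_t *iss, *sub; size_t il, sl;
    if (tbs_find_names(tbs, len, &iss, &il, &sub, &sl)) return -1;
    return il == sl && memcmp(iss, sub, il) == 0;
}

/* --- Constructed test input: a TBSCertificate whose Names hold a single CN --- */

static size_t put_tlv(uint8_t *out, uint8_t tag, const uint8_t *content, size_t clen) {
    assert(clen < 128);                  /* this builder emits short-form lengths only */
    out[0] = tag; out[1] = (uint8_t)clen;
    if (clen) memcpy(out + 2, content, clen);
    return clen + 2;
}

static size_t build_cn_name(const char *cn, uint8_t *out) {
    static const uint8_t oid_cn[] = {0x55, 0x04, 0x03};   /* id-at-commonName (2.5.4.3) */
    uint8_t inner[64], atv[64], set[64]; size_t n = 0;
    n += put_tlv(inner + n, 0x06, oid_cn, sizeof oid_cn);
    n += put_tlv(inner + n, 0x13, (const uint8_t *)cn, strlen(cn)); /* PrintableString */
    size_t a = put_tlv(atv, 0x30, inner, n);       /* AttributeTypeAndValue */
    size_t s = put_tlv(set, 0x31, atv, a);         /* RelativeDistinguishedName */
    return put_tlv(out, 0x30, set, s);             /* Name */
}

/* Synthetic TBSCertificate (no real key, no signature): enough structure to walk. */
size_t build_tbs(const char *issuer_cn, const char *subject_cn, uint8_t *out) {
    static const uint8_t v3[] = {0x02, 0x01, 0x02};          /* INTEGER 2 (v3) */
    static const uint8_t serial[] = {0x01};
    static const uint8_t sha256rsa[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B};
    static const char nb[] = "140101000000Z", na[] = "240101000000Z";
    uint8_t body[256], tmp[64]; size_t n = 0, t;
    n += put_tlv(body + n, 0xA0, v3, sizeof v3);             /* [0] version */
    n += put_tlv(body + n, 0x02, serial, sizeof serial);     /* serialNumber */
    t  = put_tlv(tmp, 0x06, sha256rsa, sizeof sha256rsa);
    n += put_tlv(body + n, 0x30, tmp, t);                    /* signature AlgorithmIdentifier */
    n += build_cn_name(issuer_cn, body + n);                 /* issuer */
    t  = put_tlv(tmp, 0x17, (const uint8_t *)nb, 13);
    t += put_tlv(tmp + t, 0x17, (const uint8_t *)na, 13);
    n += put_tlv(body + n, 0x30, tmp, t);                    /* validity */
    n += build_cn_name(subject_cn, body + n);                /* subject */
    n += put_tlv(body + n, 0x30, NULL, 0);                   /* subjectPublicKeyInfo placeholder */
    return put_tlv(out, 0x30, body, n);
}

/* Build a certificate body with the given CNs and run the memcmp check on it. */
int demo_self_issued(const char *issuer_cn, const char *subject_cn) {
    uint8_t tbs[256];
    size_t len = build_tbs(issuer_cn, subject_cn, tbs);
    return is_self_issued_by_memcmp(tbs, len);
}

int main(void) {
    printf("same CN          -> %d\n", demo_self_issued("Test CA", "Test CA"));  /* 1 */
    printf("case differs     -> %d\n", demo_self_issued("Test CA", "test ca"));  /* 0 */
    printf("different issuer -> %d\n", demo_self_issued("Root CA", "Leaf"));     /* 0 */
    /* With gnutls: gnutls_x509_crt_check_issuer(crt, crt), or memcmp over the
     * datums from gnutls_x509_crt_get_raw_issuer_dn() / gnutls_x509_crt_get_raw_dn(). */
    return 0;
}
```

The builder deliberately refuses lengths of 128 bytes or more so that it never has to emit long-form DER lengths; the reader, on the other hand, handles both forms, since real certificates routinely exceed 127 bytes at the outer levels.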
